nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch

diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
index c39d2f7..cd19186 100644
--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
         NOREF(fRelaxed);
 #else
         NOREF(fRelaxed);
-        bool fBad = true;
+        bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
 #endif
         if (fBad)
             return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
     }
 
     /*
-     * World must not have write access.  There is no relaxing this rule.
+     * World must not have write access.
+     * There is no relaxing this rule, except when it comes to the Nix store.
      */
-    if (pFsObjState->Stat.st_mode & S_IWOTH)
+    if (pFsObjState->Stat.st_mode & S_IWOTH && suplibHardenedStrCmp(pszPath, "/nix/store"))
         return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
                                       "World writable: '", pszPath, "'");
 
diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
index 95dc9a7..39170bc 100644
--- a/src/VBox/Main/src-server/MachineImpl.cpp
+++ b/src/VBox/Main/src-server/MachineImpl.cpp
@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
 
     /* get the path to the executable */
     char szPath[RTPATH_MAX];
-    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
+    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
     size_t cchBufLeft = strlen(szPath);
     szPath[cchBufLeft++] = RTPATH_DELIMITER;
     szPath[cchBufLeft] = 0;
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-11-28 23:09:50 -08:00			`diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp`
virtualbox: Allow /nix/store being world-writable. We are already checking whether /nix/store has the sticky bit set, so if it is world-writable as well it doesn't mean that the actual store path is writable. Let alone the fact that it is only writable during the build process. This should fix installing the extension pack when enableExtensionPack is used. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-11-30 09:19:00 -08:00			`index c39d2f7..cd19186 100644`
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-11-28 23:09:50 -08:00			`--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp`
			`+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp`
			`@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo`
			`NOREF(fRelaxed);`
			`#else`
			`NOREF(fRelaxed);`
			`- bool fBad = true;`
			`+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));`
			`#endif`
			`if (fBad)`
			`return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,`
virtualbox: Allow /nix/store being world-writable. We are already checking whether /nix/store has the sticky bit set, so if it is world-writable as well it doesn't mean that the actual store path is writable. Let alone the fact that it is only writable during the build process. This should fix installing the extension pack when enableExtensionPack is used. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-11-30 09:19:00 -08:00			`@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo`
			`}`

			`/*`
			`- * World must not have write access. There is no relaxing this rule.`
			`+ * World must not have write access.`
			`+ * There is no relaxing this rule, except when it comes to the Nix store.`
			`*/`
			`- if (pFsObjState->Stat.st_mode & S_IWOTH)`
			`+ if (pFsObjState->Stat.st_mode & S_IWOTH && suplibHardenedStrCmp(pszPath, "/nix/store"))`
			`return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,`
			`"World writable: '", pszPath, "'");`

virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-11-28 23:09:50 -08:00			`diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp`
			`index 95dc9a7..39170bc 100644`
			`--- a/src/VBox/Main/src-server/MachineImpl.cpp`
			`+++ b/src/VBox/Main/src-server/MachineImpl.cpp`
			`@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,`

			`/* get the path to the executable */`
			`char szPath[RTPATH_MAX];`
			`- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);`
			`+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");`
			`size_t cchBufLeft = strlen(szPath);`
			`szPath[cchBufLeft++] = RTPATH_DELIMITER;`
			`szPath[cchBufLeft] = 0;`